by Daniel Kavan*

Balancing Budget and Risk

In these days of difficult economic circumstances, legal budgets, like all others, are limited. This includes litigation budgets, and, accordingly, companies are thinking twice before investing in legal action. The regulators, however, are keeping busy, and with the high fines that they are able to impose, a regulatory enquiry will always spur a company’s legal advisors into action.

In 2012 alone, the European Commission’s cartel division imposed almost €2 billion in fines[1], a large portion of which was in relation to the TV and computer monitor tube cartel involving Philips and LG. In the UK, the OFT is actively looking into sixteen different sectors and products[2] pursuant to its powers under the Competition Act 1998, not to mention other behavioural areas such as money laundering and fraud. Bribery also continues to pose a significant threat, to the internal costs of running a business as well as legal risk under the Bribery Act and other international legislation.

But why wait for a regulatory inquiry, or even worse, a dawn raid? Using legal technology, there are steps that can be taken to minimise exposure to regulatory risk. Excellent technology exists to assist with training and education, but why stop there? An active behavioural audit program can detect wrongdoing early on (perhaps in time to apply for leniency), deter unlawful behaviour, and help defend an organisation under the scrutiny of a regulator.

What the Doctor Ordered

In line with guidance from authorities such as the European Commission and Serious Fraud Office, it is becoming increasingly popular for companies to conduct “electronic health checks” by reviewing their electronic communications and information as part of their internal compliance monitoring and audit process.[3]  Such a process designed to ensure compliance with regulations and to uncover wrongdoing, can be carried out in a cost-controlled fashion to fit into a limited budget. It typically involves reviewing the emails of a few key individuals in high risk regions and functional areas of the business (such as sales) to establish whether there are any signs of concerning behaviour.  An audit such as this obviously does not mean reading every email of an employee. Aside from privacy implications, this would be unreasonably time consuming. Using analytical tools it is possible to target potentially suspicious communications, such as emails to possible competitors. Using advanced technologies it is also possible for review systems to suggest words which individuals might be using to describe certain concepts, which the legal or compliance team may not have thought of.

Individuals who know they are doing something wrong may not be so blatant as to use the corporate system (although we have seen cases where this proverbial smoking gun has been in an easily uncovered email, often ineffectively warning recipients to delete after reading to avoid the consequences of detection). It may be worthwhile investing in some level of forensic investigation to figure out whether individuals are communicating via alternative means such as social networking, web mail, mobile phone text messages or third party-instant chat messages on phones or tablets. For organisations with recorded phone calls, it may also be worth searching across audio records with speech recognition technology for certain words and reviewing a sample of the responsive conversations.

Protecting Data

Often external lawyers are instructed to carry out such an audit, or other external parties are brought in to help. A great way to control the costs of reviews such as this is outsourcing the first-pass document review element to a trusted company.If external parties are used, they need to be wary of the company’s interests in keeping the data safe and secure. Often companies will want to keep data within the country of origin or even within the walls of the company’s premises, whether that is due to concerns about privacy, trade secrets or employment law.  The right technology solutions must be used and best practices followed to ensure data is accessed, collected and handled properly to reduce the risk of breaching laws or data security or affecting the integrity of the evidence.

Real Life Experience

Recently, a team of competition lawyers approached us for help designing an audit process for their client, who had previously received a large fine from a regulator and wanted to minimise the risk of that happening again. They had set aside a fixed budget to do this across a number of international locations. The legal team agreed to conduct the review for the client at a fixed price, but given the varying information landscape across the client’s systems, they struggled to come up with a standardised, fixed-price approach to collect, search and prioritise their clients’ data in an efficient way.

After some discussion with the legal team to understand the key custodians of potentially relevant data at each location, and with the client’s IT team to understand how such data was stored, we devised an approach.This involved a local computer forensics consultant attending, without notice, each site with a lawyer to interview individual employees as their data was collected.The interview process was important, especially in some continental European locations with strict privacy practices, to help identify where private data was located so that forensic tools could be used to filter it out and ensure it was avoided by the legal team.The element of surprise was also important in order to ensure individuals didn’t have an opportunity to delete any data, as well as simulating the experience of a dawn raid by a regulator to test readiness.

Data forensically copied from the computers was processed into an online document review system for the legal team, a variety of offices to maximise the benefit of varying language skills, to review. They used search technology and visual analytics to prioritise key data and reviewed the documents of interest, reporting any concerns to the client.

Costs were controlled by selecting the number of individuals to be reviewed on each site, and doing one site at a time to fit into the budget for that period.

Conclusion

On a daily basis, individuals in a business could be could be getting involved in internal fraud, corruption, anti-competitive behaviour, harassment, breaches of security, intellectual property theft or blackmail. All of these behaviours will have an internal cost to a business, and potentially cost even more in terms of reputational damage and fines should they be uncovered in a regulatory investigation. The good news is that technology is now effective in allowing those in charge of compliance to detect such phenomena early and in a cost-controlled manner.Rather than waiting for an incident which has traditionally kicked off the need to review electronic evidence, it is also an opportunity for external lawyers to provide a pro-active service to their clients which may save them significant trouble, and money, in the long-term.

* Daniel Kavan leads the Electronic Disclosure Consultancy team at Kroll Ontrack in the UK


[1] European Commission, Statistics on Cartels, http://ec.europa.eu/competition/cartels/statistics/statistics.pdf, updated 8 March 2013

[2] Office of Fair Trading, Competition Act Investigations – current, http://www.oft.gov.uk/OFTwork/competition-act-and-cartels/ca98-current

[3] See Compliance Matters, published by the European Commission in November 2011 and the Guidance on Adequate Procedures for Preventing Bribery issued by the Ministry of Justice in March 2011.